0.2.3

error.rs: typo

Cargo.lock

@@ -183,7 +183,7 @@ dependencies = [
 
 [[package]]
 name = "fido2luks"
-version = "0.2.2"
+version = "0.2.3"
 dependencies = [
  "cryptsetup-rs 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
  "ctap_hmac 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.2"
+version = "0.2.3"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
 
@@ -14,7 +14,6 @@ categories = ["command-line-utilities"]
 license-file = "LICENSE"
 
 [dependencies]
-#ctap = "0.1.0"
 ctap_hmac = "0.2.1"
 cryptsetup-rs = "0.2.1"
 libcryptsetup-sys = "0.1.2"

README.md

@@ -18,12 +18,16 @@ dnf install cargo cryptsetup-devel -y
 git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
 
 # Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
-CARGO_INSTALL_ROOT=/usr sudo -E cargo install -f --path .
+sudo -E cargo install -f --path . --root /usr
 
-echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential) >> dracut/96luks-2fa/fido2luks.conf
+# Copy template
+cp dracut/96luks-2fa/fido2luks.conf /etc/
+# Name is optional but useful if your authenticator has a display
+echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
 
+# Load config into env
 set -a
-. dracut/96luks-2fa/fido2luks.conf
+. /etc/fido2luks.conf
 
 # Repeat for each luks volume
 sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
@@ -45,13 +49,13 @@ sudo make install
 
 Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
 
-Note: This is only required for your root disk, systemd will try to unlock all other luks partions using the same key if you added it using `fido2luks add-key`
+Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
 
 ```
 grub2-mkconfig > /boot/grub2/grub.cfg
 ```
 
-I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a live system
+I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
 
 ```
 mkdir /boot/fido2luks/
@@ -61,7 +65,7 @@ cp /etc/fido2luks.conf /boot/fido2luks/
 
 ## Test
 
-Just reboot and see if it works, if thats the case you should remove your old less secure password from your luks header:
+Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
 
 ```
 # Recommend in case you lose your authenticator, store this backupfile somewhere safe
@@ -74,9 +78,10 @@ fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
 
 ### Password less
 
-Remove your previous secret as described in the next section, incase you already added one.
+Remove your previous secret as described in the next section, in case you've already added one.
 
 Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
+but be warned that this password will be included to into your initramfs.
 
 Import the new config into env:
 
@@ -96,5 +101,5 @@ set -a
 . fido2luks.conf
 sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
 
-sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf
+sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 ```

dracut/96luks-2fa/luks-2fa-generator.sh

@@ -9,7 +9,7 @@ MOUNT=$(command -v mount)
 UMOUNT=$(command -v umount)
 
 TIMEOUT=120
-CON_MSG="Please connect your authenicator"
+CON_MSG="Please connect your authenticator"
 
 generate_service () {
         local credential_id=$1 target_uuid=$2 timeout=$3 sd_dir=${4:-$NORMAL_DIR}
@@ -19,6 +19,10 @@ generate_service () {
 
         local crypto_target_service="systemd-cryptsetup@luks\x2d${sd_target_uuid}.service"
         local sd_service="${sd_dir}/luks-2fa@luks\x2d${sd_target_uuid}.service"
+        local fido2luks_args="--bin"
+        if [ ! -z "$timeout" ]; then
+          fido2luks_args="$fido2luks_args --await-dev ${timeout}"
+        fi
         {
                 printf -- "[Unit]"
                 printf -- "\nDescription=%s" "2fa for luks"
@@ -27,18 +31,15 @@ generate_service () {
                 printf -- "\nBefore=%s umount.target luks-2fa.target" "$crypto_target_service"
                 printf -- "\nConflicts=umount.target"
                 printf -- "\nDefaultDependencies=no"
-                printf -- "\nJobTimeoutSec=%s" "$timeout"
+                [ ! -z "$timeout" ] && printf -- "\nJobTimeoutSec=%s" "$timeout"
-
                 printf -- "\n\n[Service]"
                 printf -- "\nType=oneshot"
                 printf -- "\nRemainAfterExit=yes"
                 printf -- "\nEnvironmentFile=%s" "/etc/fido2luks.conf"
-                printf -- "\nEnvironment=FIDO2LUKS_CREDENTIAL_ID='%s'" "$credential_id"
+                [ ! -z "$credential_id" ] && printf -- "\nEnvironment=FIDO2LUKS_CREDENTIAL_ID='%s'" "$credential_id"
                 printf -- "\nKeyringMode=%s" "shared"
 		            printf -- "\nExecStartPre=-/usr/bin/plymouth display-message --text \"${CON_MSG}\""
-		            printf -- "\nExecStartPre=-/bin/bash -c \"while ! ${FIDO2LUKS} connected; do /usr/bin/sleep 1; done\""
+                printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret $fido2luks_args | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
-		            printf -- "\nExecStartPre=-/usr/bin/plymouth hide-message --text \"${CON_MSG}\""
-                printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret --bin | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
                 printf -- "\nExecStop=${CRYPTSETUP} detach 'luks-%s'" "$target_uuid"
         } > "$sd_service"
 

src/cli.rs

@@ -8,9 +8,15 @@ use cryptsetup_rs::{CryptDevice, Luks1CryptDevice};
 use libcryptsetup_sys::crypt_keyslot_info;
 use structopt::StructOpt;
 
+use failure::_core::fmt::{Error, Formatter};
+use failure::_core::str::FromStr;
+use failure::_core::time::Duration;
 use std::io::Write;
-use std::process::exit;
 
+use std::process::exit;
+use std::thread;
+
+use std::time::SystemTime;
 pub fn add_key_to_luks(
     device: PathBuf,
     secret: &[u8; 32],
@@ -70,6 +76,23 @@ pub fn add_password_to_luks(
     Ok(slot)
 }
 
+#[derive(Debug, Eq, PartialEq, Clone)]
+pub struct HexEncoded(Vec<u8>);
+
+impl std::fmt::Display for HexEncoded {
+    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
+        f.write_str(&hex::encode(&self.0))
+    }
+}
+
+impl FromStr for HexEncoded {
+    type Err = hex::FromHexError;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(HexEncoded(hex::decode(s)?))
+    }
+}
+
 #[derive(Debug, StructOpt)]
 pub struct Args {
     /// Request passwords via Stdin instead of using the password helper
@@ -83,11 +106,11 @@ pub struct Args {
 pub struct SecretGeneration {
     /// FIDO credential id, generate using fido2luks credential
     #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
-    pub credential_id: String,
+    pub credential_id: HexEncoded,
     /// Salt for secret generation, defaults to 'ask'
     ///
     /// Options:{n}
-    ///  - ask              : Promt user using password helper{n}
+    ///  - ask              : Prompt user using password helper{n}
     ///  - file:<PATH>      : Will read <FILE>{n}
     ///  - string:<STRING>  : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
     #[structopt(
@@ -104,6 +127,15 @@ pub struct SecretGeneration {
         default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
     )]
     pub password_helper: PasswordHelper,
+
+    /// Await for an authenticator to be connected, timeout after n seconds
+    #[structopt(
+        long = "await-dev",
+        name = "await-dev",
+        env = "FIDO2LUKS_DEVICE_AWAIT",
+        default_value = "15"
+    )]
+    pub await_authenticator: u64,
 }
 
 impl SecretGeneration {
@@ -117,8 +149,23 @@ impl SecretGeneration {
 
     pub fn obtain_secret(&self) -> Fido2LuksResult<[u8; 32]> {
         let salt = self.salt.obtain(&self.password_helper)?;
+        let timeout = Duration::from_secs(self.await_authenticator);
+        let start = SystemTime::now();
+
+        while let Ok(el) = start.elapsed() {
+            if el > timeout {
+                Err(error::Fido2LuksError::NoAuthenticatorError)?;
+            }
+            if get_devices()
+                .map(|devices| !devices.is_empty())
+                .unwrap_or(false)
+            {
+                break;
+            }
+            thread::sleep(Duration::from_millis(500));
+        }
         Ok(assemble_secret(
-            &perform_challenge(&self.credential_id, &salt)?,
+            &perform_challenge(&self.credential_id.0, &salt)?,
             &salt,
         ))
     }
@@ -142,13 +189,12 @@ pub enum Command {
         /// Will wipe all other keys
         #[structopt(short = "e", long = "exclusive")]
         exclusive: bool,
-        /// Use a keyfile instead of a password
+        /// Use a keyfile instead of typing a previous password
         #[structopt(short = "d", long = "keyfile")]
         keyfile: Option<PathBuf>,
         #[structopt(flatten)]
         secret_gen: SecretGeneration,
     },
-
     /// Replace a previously added key with a password
     #[structopt(name = "replace-key")]
     ReplaceKey {
@@ -157,7 +203,7 @@ pub enum Command {
         /// Add the password and keep the key
         #[structopt(short = "a", long = "add-password")]
         add_password: bool,
-        /// Use a keyfile instead of a password
+        /// Use a keyfile instead of typing a previous password
         #[structopt(short = "d", long = "keyfile")]
         keyfile: Option<PathBuf>,
         #[structopt(flatten)]

src/device.rs

@@ -64,9 +64,9 @@ pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoHmacCredent
     Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
 }
 
-pub fn perform_challenge(credential_id: &str, salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> {
+pub fn perform_challenge(credential_id: &[u8], salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> {
     let cred = FidoHmacCredential {
-        id: hex::decode(credential_id).unwrap(),
+        id: credential_id.to_vec(),
         rp_id: RP_ID.to_string(),
     };
     let mut errs = Vec::new();

src/error.rs

@@ -11,11 +11,11 @@ pub enum Fido2LuksError {
     KeyfileError { cause: io::Error },
     #[fail(display = "authenticator error: {}", cause)]
     AuthenticatorError { cause: ctap::FidoError },
-    #[fail(display = "no authenticator found, please ensure you device is plugged in")]
+    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
     NoAuthenticatorError,
     #[fail(display = "luks err")]
     LuksError { cause: cryptsetup_rs::device::Error },
-    #[fail(display = "no authenticator found, please ensure you device is plugged in")]
+    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
     IoError { cause: io::Error },
     #[fail(display = "supplied secret isn't valid for this device")]
     WrongSecret,